In the eighties, when the Internet was in its infancy, its main usage came from university students and professors in an atmosphere of implicit trust. This means that security was not the first thing on people's minds when the basic uses and functions of the Internet were first developed.
Nowadays the Internet is everywhere both in public and in private life. It has become a vital means for professional and personal - often confidential - communication. This has required security enhancements to be added to the various communication methods used on the internet after it became widely used. A lot of these enhancements are not implemented by default or require additional configuration.
In addition, most people do not have the appropriate knowledge or skills to secure their internet usage well enough, or they might simply feel they don't need to. Vendors and providers are also to blame for not pushing more secure technology and methods by default. But maybe you worry about your login codes being accessed when using wireless networks on a trip, or you want to securely lock your laptop when leaving it in a hotel. Possibly you need to encrypt your e-mails, because you have contacts in countries with a high level of internet censorship.
This manual tries to fill that gap by providing some basic knowledge, and also more sophisticated techniques for those who need them, to make sure that your data is not easily accessed by others. As a matter of fact, internet security is not that difficult.
Absolute security does not exist; security is always related to who your adversaries might be. Security is therefore about informing yourself and assessing the possible risks you, and others you communicate with, are facing. Make sure you reserve some time to choose the right tools, install everything properly, and test if it works. Compare it with driving a car: it takes a little bit of practice, and some judgement on others' behaviour, but as soon as you are in control it can safely get you where you want.
To make a choice between the types of tools you need, it helps to make a distinction between two basic types of 'threats': undirected threats and directed threats.
Most of the threats we are facing are automated undirected threats, and luckily these are also the easiest to defend against. Unfortunately, we are sometimes also subjected to directed threats, for which we need some extra safety measures. We will briefly go into these issues and refer to the appropriate chapters so you can get started.
Undirected threats are threats that are not directed at you personally, but might still affect you. Examples include phishing emails and computer virus infections. These methods are always automated and are just looking for new victims, which can be anyone. Some schemes can evolve into a directed threat (for example when responding to e-mails telling you you won the "Spanish online lottery"). Unprotected websites or networks can also be dangerous if you fill in your login codes or credit card information.
These threats can be compared to walking around in an unknown city, ending up in the wrong neighborhood and getting mugged. This book aims to be your city guide, helping to prevent you from being at the wrong place at the wrong time. To protect yourself from this type of threat we recommend that you read at least the sections on General Computer Security, Secure E-mailing and Secure Browsing. Beyond that, it is key to keep your wits about you, keep your eyes and ears open and not lose your common sense.
Directed threats are the most dangerous ones. A long-known piece of wisdom amongst security specialists is the notion that "Only amateurs attack machines, professionals attack people." Directed threats are aimed at you personally or your organization and might involve a lot of different techniques. Attackers will use a mix of social engineering, sophisticated tools, luck and hard work. Directed attacks are a lot more expensive to undertake than undirected ones, as mostly they require more skills and work hours.
One source of directed attacks can be people you know, for example co-workers, your boss, your spouse or friends. They might do so out of curiosity or for worse purposes. Small measures might be enough to counter these attacks, like using a password on your computer and locking your screen when leaving your computer unattended.
Thieves who gain access to your bank account, for example through phishing or spying on unprotected networks, are also considered a serious threat to the internet user.
Another source of directed threats is (repressive) societies. Governments have a range of motivations for monitoring or restricting different kinds of people's online activity.
Of course, there are several reasons why you might need some guidance for internet security. Who are the possible users who can have personal or professional reasons to take extra safety measures?
Journalists probably face directed threats. Organized crime, corruption, and government brutality are dangerous subjects to cover. You may need to protect yourself and your sources of information.
Bloggers can encounter similar problems. You may want to write about everyday life, but issues are silenced or unpopular because of ethnicity or gender. You might prefer anonymity or need it to connect with a support group.
Diplomats are also under heavy surveillance, as we know from the Wikileaks affair. You'd rather communicate in a safe way with your colleagues because the content of your e-mails could have damaging effects.
Activists may want to improve their government or may be seeking a new one. You may want to expose environmental issues, labor abuses, fraud, or corruption at your place of work. Your government and employers are not going to be happy about this no matter the time of year, but they may put more effort into monitoring you if they suspect that there will be protests in the streets soon.
Internet users: You might want to increase your security while browsing or mailing so you are better defended against undirected attacks, or you might just be fed up with companies storing all your data for financial purposes, or suggesting all sorts of things to you about yourself and your friends.
If you think you need to secure your internet use, we'd be happy to give you a hand with this manual and help you counter some of the problems you face. The chapters include general introductions that indicate which are the more basic steps to be taken for internet security, and which are the more complex operations to be handled. Even if those techniques may sound more demanding, they are explained step by step with illustrations and turn out to be not so difficult to implement.
In the end you are the only one who can best assess the risks you are taking and to which threats you are exposing yourself and your peers. If you are in need of more in-depth information aimed at human rights defenders, there is an excellent resource called "Security in-a-box" created by the Tactical Technology Collective and Frontline. It is freely available online and as a download at https://security.ngoinabox.org. Additionally, if you live in a country that actively restricts access to parts of the Internet you might find the Floss Manual on bypassing censorship to be of interest to you; it is located at http://en.flossmanuals.net/bypassing-censorship. Know that manuals in general can't guarantee total security and that they are by no means a replacement for a professional risk assessment and an organization-wide security (and travel) policy.
This manual is also meant to be used in an interactive way. In order to work, it needs to be continually reflected upon and updated. Do get in touch if we missed something, if you want to contribute, or if you just want to get in touch!